class RuboCop::Cop::GitlabSecurity::SqlInjection
Check for use of where("name = '#{params}'")
Passing user input to where() without parameterization can result in SQL Injection
@example
  # bad
  u = User.where("name = '#{params[:name]}'")

  # good (parameters)
  u = User.where("name = ? AND id = ?", params[:name], params[:id])
  u = User.where(name: params[:name], id: params[:id])
Constants
- MSG
Public Instance Methods
on_send(node)
  # File lib/rubocop/cop/gitlab-security/sql_injection.rb, line 29
  def on_send(node)
    # Only `where` calls that reference user input are of interest.
    return unless where_user_input?(node)
    # Flag only when some argument is a string with an interpolated variable ("... #{x} ...").
    return unless node.arguments.any? { |e| string_var_string?(e) }

    # Report on the method name (`where`) rather than the whole call.
    add_offense(node, location: :selector)
  end
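As an added example (not the cop's own code), the two checks that on_send performs are rebuilt here on Ruby's stdlib Ripper parser so the rule can be exercised without RuboCop. SqlInjectionCheck and its methods are hypothetical names; the cop's where_user_input? and string_var_string? predicates are not available here, so "user input" is approximated as a "#{...}" segment that mentions params.

```ruby
require "ripper"
module SqlInjectionCheck
  # Constructed sample: line 1 is the form the cop flags, lines 2-3 the forms it accepts.
  SAMPLE = <<~'RUBY'
    User.where("name = '#{params[:name]}'")
    User.where("name = ? AND id = ?", params[:name], params[:id])
    User.where(name: params[:name], id: params[:id])
  RUBY

  # Returns [line, column] of every `where(...)` call whose arguments interpolate
  # `params` into a string literal (on_send's two checks, on a Ripper tree).
  def self.offenses(source)
    tree = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
    found = []
    each_node(tree) do |node|
      ident, args = where_call(node)
      found << ident[2] if ident && interpolates_params?(args)
    end
    found
  end

  # Matches parenthesized `where(...)` and `recv.where(...)`; returns
  # [identifier node, argument node] or nil. Paren-less command forms are not handled.
  def self.where_call(node)
    return nil unless node[0] == :method_add_arg
    call = node[1]                                   # [:fcall, ident] or [:call, recv, op, ident]
    ident = call[0] == :fcall ? call[1] : call[3]
    [ident, node[2]] if ident?(ident, "where")
  end

  def self.ident?(node, text)
    node.is_a?(Array) && node[0] == :@ident && node[1] == text
  end

  # True when a "#{...}" segment anywhere in the arguments mentions params.
  def self.interpolates_params?(tree)
    each_node(tree).any? do |node|
      node[0] == :string_embexpr && each_node(node).any? { |n| ident?(n, "params") }
    end
  end

  # Depth-first enumeration of every S-expression (Array) in the tree.
  def self.each_node(tree, &block)
    return enum_for(:each_node, tree) unless block
    return unless tree.is_a?(Array)
    block.call(tree)
    tree.each { |child| each_node(child, &block) }
  end
end
```

Like the cop, this flags interpolation in any argument, so a bind value such as `where("id = ?", "#{params[:id]}")` is reported even though ActiveRecord would quote it.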